CVE-2024-28252

Name of the Vulnerable Software and Affected Versions CoreWCF versions prior to 1.4.2 CoreWCF versions prior to 1.5.2

Description The issue affects NetFraming based CoreWCF services, where extra system resources could be consumed by connections being left established instead of closing or aborting them. This can happen in two scenarios: when a client establishes a connection to the service and sends no data, the service will wait indefinitely for the client to initiate the NetFraming session handshake, and when a client has established a session but doesn't send any requests for the period of time configured in the binding ReceiveTimeout, the connection is not properly closed as part of the session being aborted. The bindings affected by this behavior are NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding. Only NetTcpBinding has the ability to accept non-local connections.

Recommendations For CoreWCF versions prior to 1.4.2, upgrade to version 1.4.2 or later. For CoreWCF versions prior to 1.5.2, upgrade to version 1.5.2 or later. As a temporary workaround, consider restricting access to the vulnerable bindings, specifically NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding, to minimize the risk of exploitation. Note that there are no workarounds for this issue, and users are advised to upgrade to the fixed versions.